Fitbit smartwatch details (and pictures) leaked ahead of launch

Fitbit has been one of the dominant players in the wearable space over the last few years, but as a growing number of smartwatches with built-in activity tracking features hit the market, the company has been under pressure to build its own smartwatch. Now Yahoo Finance has published a few leaked pictures showing what the upcoming […]

Fitbit smartwatch details (and pictures) leaked ahead of launch is a post from: Liliputing

Meet Greyhound.com, the site that doesn’t allow password changes

Greyhound allows four-digit PINs and stores them in plaintext.

This is what Greyhound.com e-mails you when you forget your password.

When it comes to websites with bad password policies, there's no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they're better covered by Twitter accounts like this one.

But recently, I saw a site policy so bad I couldn't stay quiet. It's Greyhound.com, a site that among other things lets people book bus travel and redeem rewards for past trips. The site allows passwords as short as four characters—including 1234. And when a user forgets a password, Greyhound.com will send the plaintext of the PIN or password in e-mail, an indication that the site isn't using any sort of cryptographic hashing to protect user passwords in the event that Greyhound's database is ever breached.

Worst of all: Greyhound.com provides no mechanism for changing a password. Ever. If an account is breached or a password is compromised, the account is stuck with that bad passcode indefinitely. Last week, I explained to a Greyhound spokeswoman why password hashing and password resets were crucial to security and asked if her company had any plans to add them to Greyhound.com. Her response:

Tesla pulls the plug on SolarCity door-to-door sales

The electric automaker bought the solar panel distributor in November to exploit “cost synergies.”

(credit: Kevin Krecji)

Tesla said on Friday that it would be ending SolarCity’s door-to-door solar panel sales. Instead, the photovoltaic installer will rely primarily on online sales and retail sales for residential panels.

In a statement to GreenTechMedia, a Tesla spokesperson said that the decision "reflects what most of our prospective customers prefer and will result in a better experience for them.” Tesla added that it expects to exceed any lost door-to-door sales via its other sales channels.

Of the salespeople once employed to knock on residential doors, Tesla's spokesperson also said that the “vast majority of affected employees will be reassigned or provided an opportunity to interview for other positions that will help support our expanded retail efforts.”

Orange is the new hacked: Netflix series leaked in vendor hack

Breach of post-production company poses potential threat to many networks’ shows.

An individual or group going by the name "thedarkoverlord" has posted much of the upcoming season of Netflix's series Orange is the New Black, apparently as punishment for not paying an extortion demand. According to information obtained by Databreaches.net, the episodes were stolen from a post-production studio along with episodes from dozens of other television programs on Netflix and other networks. And the person or people behind the breach are not attempting to further extort the networks that distribute the programs.

Whoever is behind "thedarkoverlord" has breached a number of small and mid-sized organizations' networks over the past year, apparently by exploiting common vulnerabilities in their websites to gain access. In each case, according to Twitter posts and Pastebin notes by the hacker or hackers, those responsible have posted proof of breaches to GitHub and attempted to extort payments in bitcoins from the victims, threatening to dump customer data and other records if they failed to comply. One target was a US Navy supplier, according to a report from DataBreaches.net (though no sensitive information was part of the breach).

Late last year, thedarkoverlord managed to stumble into a motherlode, apparently gaining access to the network of Larson Studios, an audio post-production company that serves many of the major television production companies. And with that access, it managed to steal nine episodes of the upcoming season of Netflix's series, Orange is the New Black, and claimed to have accessed content from 36 television series and one film. They attempted to extort 50 bitcoins from Larson, setting a January deadline. And when that deadline passed, they apparently decided to move on to extorting each of the companies producing the content individually.

A taste of what virtual reality could be on the Nintendo Switch

Hacked Web browser, tablet holster allow for stereoscopic 3D viewing.

This short video lays out how to test stereoscopic 3D on your Nintendo Switch right now.

Though Nintendo executives have hinted that the company might be interested in testing out the virtual reality waters, the most concrete look we've gotten at any potential plans comes from this patent application for a head-mounted Switch holster. An enterprising YouTuber wasn't willing to wait for that patent to become a product, though, and has jury-rigged an ersatz Switch "VR" demo using existing hardware and some system-level software hacks.

Nintendrew's video lays it all out pretty concisely, but in short, the test inserts the Switch into the Durovis Dive 7, a head-mounted VR holster designed for Tango-powered tablets. From there, it's just a matter of using a server proxy hack to access the Switch's hidden Web browser functionality, then using that to view some stereoscopic 720p footage of Ocarina of Time 3D captured for YouTube.

The result is a very limited demonstration of what virtual reality could be like on the Switch, lacking any sort of head-tracking or even controls. Still, as Nintendrew points out, it's "a full 3D experience on real Nintendo Switch hardware."

Deals of the Day (5-01-2017)

The NuVision TM800 is a Windows 10 tablet with a full HD display, an Intel Atom processor, and a list price of $149, making it one of the cheapest Windows tablets in its class. But it’s also one of the most frequently discounted. Right now you can pick up a model with an Atom Z3735F Bay […]

Deals of the Day (5-01-2017) is a post from: Liliputing

Verizon’s bizarre claim that the FCC isn’t killing net neutrality rules

Verizon says it supports open Internet rules despite its role in ending them.

Verizon has always supported net neutrality. (credit: eBay/)

No major Internet service provider has done more to prevent implementation of net neutrality rules in the US than Verizon. After years of fighting the rules in courts of law and public opinion, Verizon is about to get what it wants as the Federal Communications Commission—now led by a former Verizon lawyer—prepares to eliminate the rules and the legal authority that allows them to be enforced.

But Verizon's general counsel Craig Silliman wants you to believe that Verizon never opposed net neutrality rules, even though it sued the FCC to eliminate them. He's also making the claim that the FCC isn't even talking about eliminating the net neutrality rules, even though FCC Chairman Ajit Pai is proposing to do exactly that.

Verizon on Friday released a video in which Silliman made these claims. "The FCC is not talking about killing the net neutrality rules, and in fact not we nor any other ISP are asking them to kill the open Internet rules," Silliman said. "All they're doing is looking to put the open Internet rules in an enforceable way on a different legal footing."

Nintendo figured 2.3 million NES Classics was enough (it wasn’t)

NOA President pleads the company doesn’t have “unlimited resources”

Both of these miniature NES systems share something in common: they're no longer being made.

Last we heard, the NES Classic Edition had sold 1.5 million units through the end of December, not nearly enough to meet apparently healthy demand during the holiday season and beyond. Now that the company has officially discontinued the plug-and-play box, Nintendo of America President Reggie Fils-Aime tells Time magazine they sold 2.3 million systems overall in just under six months.

For context, the Nintendo Switch sold more than that in less than a month, though direct comparison between a $60 nostalgia box and a newly introduced $300 hybrid console can be a bit difficult. In any case, long lines for the final shipments and high secondhand markups for existing systems suggest a lot of unfulfilled demand for the system still exists in the market.

The robust success of the NES Classic Edition really does seem to have caught Nintendo by surprise. "We had originally planned for this to be a product for last holiday," Fils-Aime told Time. "We just didn't anticipate how incredible the response would be. Once we saw that response, we added shipments and extended the product for as long as we could to meet more of that consumer demand."

Security threat posed by many Android apps that turn phones into servers

There are a bunch of Android apps that let you connect to your phone remotely to do things like transfer photos or other files to a PC without wires, view text messages and other notifications on a computer, or use your phone as a proxy server for connecting a PC to the internet. In order to […]

Security threat posed by many Android apps that turn phones into servers is a post from: Liliputing

EPA purges climate change information as part of “Website Updates”

Anything related to climate change “is being reviewed.”

Fortunately, when you burn webpages, they create no carbon emissions. (credit: EPA)

On Friday, the Trump administration removed all of the EPA's climate information from the agency's website. In its place was this announcement: "We are currently updating our website to reflect EPA's priorities under the leadership of President Trump and Administrator Pruitt."

The official EPA announcement of the changes says they're needed to "reflect the agency’s new direction under President Donald Trump and Administrator Scott Pruitt." Removing them, according to the EPA spokesman, was needed to "prevent confusion."

That confusion would be caused by the promotion of outdated policies that were put in place by the previous administration. Chief among those policies is the Clean Power Plan, the Obama Administration's response to climate change (the EPA announcement refers to it as "the so-called Clean Power Plan").
